Commit b4112fced040d1b45fb60694513c29e220a7791f

Authored by Perry Werneck
1 parent e6c441c5

Improving SSL status information from library.

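--- a/src/include/lib3270/popup.h
+++ b/src/include/lib3270/popup.h
@@ -68,7 +68,8 @@
 
 LIB3270_EXPORT void lib3270_popup_va(H3270 *session, LIB3270_NOTIFY id , const char *title, const char *message, const char *fmt, va_list);
 
-LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);
+LIB3270_EXPORT LIB3270_NOTIFY lib3270_get_ssl_state_icon(H3270 *hSession);
+LIB3270_EXPORT const char * lib3270_get_ssl_state_icon_name(H3270 *hSession);
 
 #ifdef __cplusplus
 }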
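Review bot: The new `lib3270_get_ssl_state_icon_name` prototype (new line 72) carries no doc comment, so a caller cannot tell what the returned pointer is or who owns it. From the state.c part of this commit it returns either a string literal from the status table or `"dialog-error"`, so I would add a three-line Doxygen block above it stating: brief "Get the freedesktop icon name for the current SSL state", and `@return Untranslated, statically allocated icon name; the caller must not free or modify it.` It would also help to say the name follows the freedesktop icon-naming-spec, as the `iconName` field comment in state.c does.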
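--- a/src/lib3270/private.h
+++ b/src/lib3270/private.h
@@ -610,7 +610,11 @@ struct _h3270
 LIB3270_SSL_STATE state;
 unsigned long error;
 #ifdef SSL_ENABLE_CRL_CHECK
-char * crl;
+struct
+{
+char * url;
+X509_CRL * cert;
+} crl;
 #endif // SSL_ENABLE_CRL_CHECK
 SSL * con;
 } ssl;
@@ -704,7 +708,7 @@ LIB3270_INTERNAL int non_blocking(H3270 *session, Boolean on);
 LIB3270_INTERNAL int ssl_3270_ex_index;
 
 #ifdef SSL_ENABLE_CRL_CHECK
-X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message);
+int lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message);
 #endif // SSL_ENABLE_CRL_CHECK
 
 #endif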
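Review bot: `lib3270_get_X509_CRL` changes from returning an `X509_CRL *` to `int` (new line 711), but nothing states the return convention, and the getcrl.c implementation in this commit mixes positive errno values (`return errno = ENOENT;`) with `-1`, so callers can only test for non-zero. I would document that on the prototype: `/// @return 0 on success (the CRL is stored in hSession->ssl.crl.cert), non-zero on failure with message filled in.` The new `crl` struct (new lines 613-617) would likewise benefit from a comment noting that `cert` is owned by the session and released in lib3270_session_free, since the autoptr cleanup that used to free it in ctx_init.c is removed by this commit. Settling on one convention (`-1` or errno, not both) would make that contract easier to state.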
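--- a/src/lib3270/properties.c
+++ b/src/lib3270/properties.c
@@ -297,8 +297,8 @@
 const char * lib3270_get_crl_url(H3270 *hSession)
 {
 #ifdef SSL_ENABLE_CRL_CHECK
-if(hSession->ssl.crl)
-return hSession->ssl.crl;
+if(hSession->ssl.url)
+return hSession->ssl.url;
 
 #ifdef SSL_DEFAULT_CRL_URL
 return SSL_DEFAULT_CRL_URL;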
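Review bot: `hSession->ssl.url` (new lines 300-301) does not exist: the private.h hunk of this commit makes the URL a member of the new `ssl.crl` struct, so this fails to compile whenever SSL_ENABLE_CRL_CHECK is defined. The two lines should read `if(hSession->ssl.crl.url)` / `return hSession->ssl.crl.url;`. The same slip is in session.c (new lines 80-81, `free(h->ssl.url); h->ssl.url = NULL;`), where the guarding `if` on line 78 already uses `h->ssl.crl.url`. The rest of lib3270_get_crl_url lies outside the hunk.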
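--- a/src/lib3270/session.c
+++ b/src/lib3270/session.c
@@ -75,12 +75,17 @@ void lib3270_session_free(H3270 *h)
 shutdown_toggles(h);
 
 #ifdef SSL_ENABLE_CRL_CHECK
-if(h->ssl.crl)
+if(h->ssl.crl.url)
 {
-free(h->ssl.crl);
-h->ssl.crl = NULL;
+free(h->ssl.url);
+h->ssl.url = NULL;
+}
+
+if(h->ssl.crl.cert)
+{
+X509_CRL_free(h->ssl.crl.cert);
+h->ssl.crl.cert = NULL;
 }
-#endif // SSL_ENABLE_CRL_CHECK
 
 // Release state change callbacks
 for(f=0;f<LIB3270_STATE_USER;f++)
@@ -92,6 +97,7 @@ void lib3270_session_free(H3270 *h)
 h->st_callbacks[f] = next;
 }
 }
+#endif // SSL_ENABLE_CRL_CHECK
 
 // Release memory
 #define release_pointer(x) lib3270_free(x); x = NULL;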
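Review bot: The `#endif // SSL_ENABLE_CRL_CHECK` that used to close the CRL block right after old line 82 is moved to new line 100, so the state-change callback release loop (new lines 90-99) is now compiled only when SSL_ENABLE_CRL_CHECK is defined; builds without CRL checking will leak every registered callback on session free. Close the conditional immediately after the `X509_CRL_free` block instead: put `#endif // SSL_ENABLE_CRL_CHECK` after the `}` on new line 88 and drop the one at line 100. The body of lib3270_session_free continues past the second hunk.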
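--- a/src/lib3270/ssl/ctx_init.c
+++ b/src/lib3270/ssl/ctx_init.c
@@ -63,14 +63,6 @@
 
 /*--[ Implement ]------------------------------------------------------------------------------------*/
 
-#ifdef SSL_ENABLE_CRL_CHECK
-static inline void lib3270_autoptr_cleanup_X509_CRL(X509_CRL **crl)
-{
-if(*crl)
-X509_CRL_free(*crl);
-}
-#endif // SSL_ENABLE_CRL_CHECK
-
 /**
 * @brief Initialize openssl library.
 *
@@ -138,9 +130,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 //
 // https://stackoverflow.com/questions/10510850/how-to-verify-the-certificate-for-the-ongoing-ssl-session
 //
-lib3270_autoptr(X509_CRL) crl = lib3270_get_X509_CRL(hSession,message);
-
-if(!crl)
+if(lib3270_get_X509_CRL(hSession,message))
 return -1;
 
 if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
@@ -170,6 +160,7 @@ int ssl_ctx_init(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
 X509_STORE_set1_param(store, param);
 X509_VERIFY_PARAM_free(param);
+
 #endif // SSL_ENABLE_CRL_CHECK
 
 return 0;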
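--- a/src/lib3270/ssl/linux/getcrl.c
+++ b/src/lib3270/ssl/linux/getcrl.c
@@ -215,9 +215,8 @@ static int internal_curl_trace_callback(CURL *handle unused, curl_infotype type,
 #endif // HAVE_LIBCURL
 
 
-X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
+int lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 {
-X509_CRL * crl = NULL;
 const char * consturl = lib3270_get_crl_url(hSession);
 
 if(!(consturl && *consturl))
@@ -226,7 +225,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "Can't open CRL File" );
 message->description = N_("The URL for the CRL is undefined or empty");
-return NULL;
+return errno = ENOENT;
 }
 
 trace_ssl(hSession, "crl=%s\n",consturl);
@@ -238,17 +237,19 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 if(!hCRL)
 {
 // Can't open CRL File.
+int err = errno;
+
 message->error = hSession->ssl.error = 0;
 message->title = N_( "Security error" );
 message->text = N_( "Can't open CRL File" );
 message->description = strerror(errno);
 lib3270_write_log(hSession,"ssl","Can't open %s: %s",consturl,message->description);
-return NULL;
+return err;
 
 }
 
 lib3270_write_log(hSession,"ssl","Loading CRL from %s",consturl+7);
-d2i_X509_CRL_fp(hCRL, &crl);
+d2i_X509_CRL_fp(hCRL, &hSession->ssl.crl.cert);
 
 }
 #ifdef HAVE_LDAP
@@ -265,7 +266,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "No DN of the entry at which to start the search on the URL" );
 message->description = _( "The URL argument should be in the format ldap://[HOST]/[DN]?attribute" );
-return NULL;
+return errno = EINVAL;
 }
 
 *(base++) = 0;
@@ -277,7 +278,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "No LDAP attribute on the URL" );
 message->description = _( "The URL argument should be in the format ldap://[HOST]/[DN]?attribute" );
-return NULL;
+return errno = EINVAL;
 }
 
 *(attrs[0]++) = 0;
@@ -298,7 +299,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't initialize LDAP" );
 message->description = ldap_err2string(rc);
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return -1;
 }
 
 unsigned long version = LDAP_VERSION3;
@@ -309,7 +310,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't set LDAP version" );
 message->description = ldap_err2string(rc);
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return -1;
 }
 
 rc = ldap_simple_bind_s(ld, "", "");
@@ -320,7 +321,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't bind to LDAP server" );
 message->description = ldap_err2string(rc);
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return -1;
 }
 
 lib3270_autoptr(LDAPMessage) results = NULL;
@@ -345,7 +346,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't search LDAP server" );
 message->description = ldap_err2string(rc);
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return -1;
 }
 
 char __attribute__ ((__cleanup__(lib3270_autoptr_cleanup_LDAPPTR))) *attr = ldap_first_attribute(ld, results, &ber);
@@ -356,7 +357,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't get LDAP attribute" );
 message->description = N_("Search did not produce any attributes.");
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return errno = ENOENT;
 }
 
 struct berval ** value = ldap_get_values_len(ld, results, attr);
@@ -367,7 +368,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Can't get LDAP attribute" );
 message->description = N_("Search did not produce any values.");
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->description);
-return NULL;
+return errno = ENOENT;
 }
 
 if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
@@ -383,12 +384,14 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 // Precisa salvar uma cópia porque d2i_X509_CRL modifica o ponteiro.
 const unsigned char *crl_data = (const unsigned char *) value[0]->bv_val;
 
-if(!d2i_X509_CRL(&crl, &crl_data, value[0]->bv_len))
+if(!d2i_X509_CRL(&hSession->ssl.crl.cert, &crl_data, value[0]->bv_len))
 {
 message->error = hSession->ssl.error = ERR_get_error();
 message->title = N_( "Security error" );
 message->text = N_( "Can't get CRL from LDAP Search" );
 lib3270_write_log(hSession,"ssl","%s: %s",url, message->text);
+ldap_value_free_len(value);
+return -1;
 }
 
 ldap_value_free_len(value);
@@ -448,7 +451,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 }
 
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-return NULL;
+return -1;
 
 }
 
@@ -461,21 +464,8 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Error loading CRL" );
 message->description = curl_easy_strerror(res);
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-return NULL;
-}
-
-/*
-if(lib3270_get_toggle(hSession,LIB3270_TOGGLE_SSL_TRACE))
-{
-lib3270_autoptr(char) msg = lib3270_strdup_printf("CRL Data received with content-type \"%s\"", (ct ? ct : "undefined"));
-lib3270_trace_data(
-hSession,
-msg,
-(const char *) crl_data->contents,
-crl_data->length
-);
+return -1;
 }
-*/
 
 if(ct)
 {
@@ -484,13 +474,13 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 if(strcasecmp(ct,"application/pkix-crl") == 0)
 {
 // CRL File, convert it
-if(!d2i_X509_CRL(&crl, &data, crl_data->length))
+if(!d2i_X509_CRL(&hSession->ssl.crl.cert, &data, crl_data->length))
 {
 message->error = hSession->ssl.error = ERR_get_error();
 message->title = N_( "Security error" );
 message->text = N_( "Got an invalid CRL from server" );
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
-return NULL;
+return -1;
 }
 }
 else
@@ -499,7 +489,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "Got an invalid CRL from server" );
 lib3270_write_log(hSession,"ssl","%s: content-type unexpected: \"%s\"",consturl, ct);
-return NULL;
+return -1;
 }
 }
 else if(strncasecmp(consturl,"ldap://",7) == 0)
@@ -512,7 +502,7 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->title = N_( "Security error" );
 message->text = N_( "Got an invalid CRL from LDAP server" );
 lib3270_write_log(hSession,"ssl","%s: invalid format:\n%s\n",consturl, crl_data->contents);
-return NULL;
+return -1;
 }
 data += 3;
 
@@ -523,13 +513,13 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 
 BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
 
-if(!d2i_X509_CRL_bio(bio, &crl))
+if(!d2i_X509_CRL_bio(bio, &hSession->ssl.crl.cert))
 {
 message->error = hSession->ssl.error = ERR_get_error();
 message->title = N_( "Security error" );
 message->text = N_( "Got an invalid CRL from server" );
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->text);
-return NULL;
+return -1;
 }
 
 }
@@ -544,11 +534,11 @@ X509_CRL * lib3270_get_X509_CRL(H3270 *hSession, SSL_ERROR_MESSAGE * message)
 message->text = N_( "Unexpected or invalid CRL URL" );
 message->description = N_("The URL scheme is unknown");
 lib3270_write_log(hSession,"ssl","%s: %s",consturl, message->description);
-return NULL;
+return errno = EINVAL;
 #endif // HAVE_LIBCURL
 }
 
-return crl;
+return hSession->ssl.crl.cert == NULL ? -1 : 0;
 
 }
 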
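Review bot: Every `d2i_X509_CRL*` call now receives `&hSession->ssl.crl.cert` (new lines 252, 387, 477, 516) while the session keeps whatever CRL was loaded before, so a second call for the same session asks OpenSSL to reuse an existing X509_CRL — a mode its documentation discourages, and one in which a parse failure can leave `crl.cert` freed or dangling for `lib3270_session_free` to free again. I would release the old object at the top of the function: `if(hSession->ssl.crl.cert) { X509_CRL_free(hSession->ssl.crl.cert); hSession->ssl.crl.cert = NULL; }`. Two smaller points: line 245 still reads `strerror(errno)` although the value was saved into `err` at line 240, and the plain-file path never checks `d2i_X509_CRL_fp` (line 252), so on a bad file the final `return hSession->ssl.crl.cert == NULL ? -1 : 0;` reports failure with `message` left untouched. The remainder of the function lies in the unchanged stretches between the hunks.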
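--- a/src/lib3270/ssl/state.c
+++ b/src/lib3270/ssl/state.c
@@ -84,6 +84,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 long id;
 LIB3270_NOTIFY icon;
+const char * iconName; // Icon name from https://specifications.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html
 const char * message;
 const char * description;
 }
@@ -93,6 +94,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_OK,
 LIB3270_NOTIFY_SECURE,
+"security-high",
 N_( "Secure connection was successful." ),
 N_( "The connection is secure and the host identity was confirmed." )
 },
@@ -100,6 +102,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unable to get issuer certificate" ),
 N_( "The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete." )
 },
@@ -107,6 +110,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_GET_CRL,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unable to get certificate CRL." ),
 N_( "The Certificate revocation list (CRL) of a certificate could not be found." )
 },
@@ -114,6 +118,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unable to decrypt certificate's signature" ),
 N_( "The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys." )
 },
@@ -121,6 +126,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unable to decrypt CRL's signature" ),
 N_( "The CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused." )
 },
@@ -128,6 +134,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unable to decode issuer public key" ),
 N_( "The public key in the certificate SubjectPublicKeyInfo could not be read." )
 },
@@ -135,6 +142,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_SIGNATURE_FAILURE,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Certificate signature failure" ),
 N_( "The signature of the certificate is invalid." )
 },
@@ -142,6 +150,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CRL_SIGNATURE_FAILURE,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "CRL signature failure" ),
 N_( "The signature of the certificate is invalid." )
 },
@@ -149,6 +158,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_NOT_YET_VALID,
 LIB3270_NOTIFY_WARNING,
+"dialog-warning",
 N_( "Certificate is not yet valid" ),
 N_( "The certificate is not yet valid: the notBefore date is after the current time." )
 },
@@ -156,6 +166,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_HAS_EXPIRED,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Certificate has expired" ),
 N_( "The certificate has expired: that is the notAfter date is before the current time." )
 },
@@ -163,6 +174,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CRL_NOT_YET_VALID,
 LIB3270_NOTIFY_WARNING,
+"dialog-error",
 N_( "The CRL is not yet valid." ),
 N_( "The Certificate revocation list (CRL) is not yet valid." )
 },
@@ -174,6 +186,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 #else
 LIB3270_NOTIFY_WARNING,
 #endif // SSL_ENABLE_CRL_EXPIRATION_CHECK
+"security-medium",
 N_( "The CRL has expired." ),
 N_( "The Certificate revocation list (CRL) has expired.")
 },
@@ -181,6 +194,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Format error in certificate's notBefore field" ),
 N_( "The certificate notBefore field contains an invalid time." )
 },
@@ -188,6 +202,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Format error in certificate's notAfter field" ),
 N_( "The certificate notAfter field contains an invalid time." )
 },
@@ -195,6 +210,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Format error in CRL's lastUpdate field" ),
 N_( "The CRL lastUpdate field contains an invalid time." )
 },
@@ -202,6 +218,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Format error in CRL's nextUpdate field" ),
 N_( "The CRL nextUpdate field contains an invalid time." )
 },
@@ -209,6 +226,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_OUT_OF_MEM,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Out of memory" ),
 N_( "An error occurred trying to allocate memory. This should never happen." )
 },
@@ -216,6 +234,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
 LIB3270_NOTIFY_WARNING,
+"security-medium",
 N_( "Self signed certificate" ),
 N_( "The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates." )
 },
@@ -224,10 +243,12 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
 #ifdef SSL_ENABLE_SELF_SIGNED_CERT_CHECK
 LIB3270_NOTIFY_ERROR,
+"security-medium",
 N_( "The SSL certificate for this host is not trusted." ),
 N_( "The security certificate presented by this host was not issued by a trusted certificate authority." )
 #else
 LIB3270_NOTIFY_WARNING,
+"security-medium",
 N_( "Self signed certificate in certificate chain" ),
 N_( "The certificate chain could be built up using the untrusted certificates but the root could not be found locally." )
 #endif // SSL_ENABLE_SELF_SIGNED_CERT_CHECK
@@ -236,6 +257,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
 LIB3270_NOTIFY_WARNING,
+"security-low",
 N_( "Unable to get local issuer certificate" ),
 N_( "The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found." )
 },
@@ -243,6 +265,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
 LIB3270_NOTIFY_ERROR,
+"security-low",
 N_( "Unable to verify the first certificate" ),
 N_( "No signatures could be verified because the chain contains only one certificate and it is not self signed." )
 },
@@ -250,6 +273,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_REVOKED,
 LIB3270_NOTIFY_ERROR,
+"security-low",
 N_( "Certificate revoked" ),
 N_( "The certificate has been revoked." )
 },
@@ -257,6 +281,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_INVALID_CA,
 LIB3270_NOTIFY_ERROR,
+"security-low",
 N_( "Invalid CA certificate" ),
 N_( "A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose." )
 },
@@ -264,6 +289,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_PATH_LENGTH_EXCEEDED,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Path length constraint exceeded" ),
 N_( "The basicConstraints pathlength parameter has been exceeded." ),
 },
@@ -271,6 +297,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_INVALID_PURPOSE,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Unsupported certificate purpose" ),
 N_( "The supplied certificate cannot be used for the specified purpose." )
 },
@@ -278,6 +305,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_UNTRUSTED,
 LIB3270_NOTIFY_WARNING,
+"security-low",
 N_( "Certificate not trusted" ),
 N_( "The root CA is not marked as trusted for the specified purpose." )
 },
@@ -285,6 +313,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_CERT_REJECTED,
 LIB3270_NOTIFY_ERROR,
+"security-low",
 N_( "Certificate rejected" ),
 N_( "The root CA is marked to reject the specified purpose." )
 },
@@ -292,6 +321,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
 LIB3270_NOTIFY_ERROR,
+"security-low",
 N_( "Subject issuer mismatch" ),
 N_( "The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set." )
 },
@@ -299,6 +329,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_AKID_SKID_MISMATCH,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Authority and subject key identifier mismatch" ),
 N_( "The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set." )
 },
@@ -306,6 +337,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Authority and issuer serial number mismatch" ),
 N_( "The current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set." )
 },
@@ -313,6 +345,7 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 {
 X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
 LIB3270_NOTIFY_ERROR,
+"dialog-error",
 N_( "Key usage does not include certificate signing" ),
 N_( "The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing." )
 }
@@ -341,9 +374,24 @@ void set_ssl_state(H3270 *hSession, LIB3270_SSL_STATE state)
 return gettext(info->message);
 }
 
-return lib3270_get_hostname(hSession);
+return _( "The connection is insecure" );
+
+}
+
+const char * lib3270_get_ssl_state_icon_name(H3270 *hSession)
+{
+if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)
+{
+const struct ssl_status_msg *info = get_ssl_status_msg(hSession);
+if(info)
+return info->iconName;
+}
+
+return "dialog-error";
+
 }
 
+
 const char * lib3270_get_ssl_state_description(H3270 *hSession)
 {
 if(lib3270_get_secure(hSession) != LIB3270_SSL_UNSECURE)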
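Review bot: The icon names do not track the notification level consistently: X509_V_ERR_CRL_NOT_YET_VALID is `LIB3270_NOTIFY_WARNING` but gets `"dialog-error"` (new line 177) while the other warnings use `"dialog-warning"` or a `security-*` name, and the `SSL_ENABLE_SELF_SIGNED_CERT_CHECK` branch is `LIB3270_NOTIFY_ERROR` with `"security-medium"` (line 246). I would change line 177 to `"dialog-warning",` and add a short comment on line 246 saying why an error-level entry keeps a medium icon, so the next editor does not "fix" it. In the new `lib3270_get_ssl_state_icon_name` (lines 381-391) the fallback `"dialog-error"` is also what a plain unencrypted connection gets, although the sibling message function now describes that state as `"The connection is insecure"` rather than an error; `"security-low"` seems the closer match, and the function deserves a doc comment stating the returned name is untranslated and statically allocated. The start of the status table and the body of lib3270_get_ssl_state_description lie outside the hunks.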